INTERNAL PROCEDURE FOR ISSUING MONETARY PENALTY NOTICES


Introduction 


Under sections 55A to 55E of the Data Protection Act 1998 (‘Act’) the
Information Commissioner (‘Commissioner’) may, in certain
circumstances, serve a Monetary Penalty Notice on a data controller.


In addition, the Privacy and Electronic Communications (EC Directive)
(Amendment) Regulations 2011 inserted sections 55A to 55E of the Act into
the Privacy and Electronic Communications (EC Directive) Regulations
2003 (‘PECR’), enabling the Commissioner to serve a Monetary Penalty
Notice on a person who breaches PECR.


A Monetary Penalty Notice is a notice requiring a data controller or person 
to pay a monetary penalty of an amount determined by the Commissioner 
and specified in the notice. The amount of the monetary penalty 
determined by the Commissioner must not exceed £500,000. 


The Commissioner is required to prepare and issue Guidance about how 
he proposes to exercise his power to serve Monetary Penalty Notices 
which is available on the ICO website - 


https://ico.org.uk/media/for-organisations/documents/1043720/ico-guidance-on-monetary-penalties.pdf


It should be read in conjunction with the Data Protection (Monetary 
Penalties) (Maximum Penalty and Notices) Regulations 2010 and the Data 
Protection (Monetary Penalties) Order 2010. 


Procedure 


Within the ICO, the following procedures should be followed when
handling this work:


1. For cases under section 5A PECR, please refer to the agreed process 
for decision making which is available from the Team manager of 
the Anti-Spam Investigation Team. 


2. In all other cases, in order to take a matter forward the Group 
manager will convene a Case Working Group (‘Group’) comprising 
the Group manager, the Team manager, the case officer and a 
lawyer. The Group will consider the case officer’s report (‘Report’) 
and whether the criteria for the imposition of a monetary penalty
have been met and whether, given the particular circumstances of 
this case and the underlying objective in imposing a monetary 
penalty, the imposition of such a penalty is justified. 


3. Once it has been decided that a monetary penalty should be 
imposed, the Group (apart from the case officer) will then consider 
what would be the appropriate and proportionate level of monetary 
penalty within the prescribed limit of £500,000 in accordance with a 
5-step framework for determining the amount of a monetary 
penalty. 


Step 1 - nature and seriousness of the contravention or 
collection of breaches 


The Group will determine a starting figure that reflects the nature 
and seriousness of the contravention of the Act by the data 
controller or collection of breaches of PECR by a person. 


This will involve looking at the nature of the contravention or 
collection of breaches together with the scope of the potential harm 
caused, and a consideration of what is reasonable and 
proportionate, given the circumstances of the case. 


The initial view is based on the sanction available up to the
statutory maximum of £500,000, which will be considered against a
‘nature and seriousness’ rating as follows:


• Level A = £1 to £10,000
• Level B = £10,001 to £40,000
• Level C = £40,001 to £100,000
• Level D = £100,001 to £250,000
• Level E = £250,001 to £500,000


Once the level of nature and seriousness has been determined, the 
starting figure will be set by moving upwards or downwards in the 
band dependent on the specific circumstances of the case. 


For contraventions under the Act, the Group will take into account 
the number of data subjects affected, the period over which the 
contravention extended, and the type of data that was involved in 
the breach. Because contraventions under the Act must involve the 
likelihood of substantial damage and/or substantial distress they are 
likely to fall into Level C or above.


For PECR breaches, the Group will take into account the number of 
unlawful communications which were the subject of complaints, the 
types of complaints and the period over which the collection of 
PECR breaches extended. 


It should be borne in mind that penalties are set on a continuous 
scale. Therefore a particular contravention or collection of breaches 
should reach the same starting point whether it is rated as, for 
example, Level B and adjusted upwards on the circumstances of the 
case or rated as Level C and adjusted downwards. 


Step 2 - aggravating and mitigating factors 


The Group may increase or decrease the amount of the monetary 
penalty arrived at after Step 1 to take into account factors which 
aggravate or mitigate the contravention or collection of breaches. 
The factors that may have the effect of aggravating or mitigating 
the contravention are not those that relate directly to the breach, 
for example, the nature of the data or number of data subjects. 
They are factors such as the behaviour of the data controller or 
person following the breach, whether the data controller had 
previously declined to submit to an audit, the general record of the 
data controller or person and any other factors taken into account 
that were not considered at Step 1. 


Step 3 - financial impact on the data controller 


The Group may increase or decrease the amount of the monetary 
penalty arrived at after Step 2 to take into account the likely 
financial impact of a monetary penalty on the data controller or 
person. In particular, the Group will take into account any proof of 
genuine financial hardship which has been supplied by a data 
controller or person. 


Step 4 - underlying objective 


It is important that there is consistency in the monetary penalties 
set by the ICO. The above steps are only a guide but should help 
achieve consistency in the penalties set. However, the Group 
should review the proposed penalty against others set in 
comparable cases and satisfy themselves that consistency has been 
achieved, or adjust the figure arrived at upwards or downwards. 
Also, if the Group considers that the figure arrived at after Step 3 is 
insufficient to promote compliance with the Act or PECR having 
regard to the underlying objective in imposing a monetary penalty, 
then the Group may increase the monetary penalty.


Step 5 - final determination


The Report and any Decision Record will be signed by the Head of 
the Enforcement department and placed before a Commissioner or 
Deputy Commissioner (‘Commissioner’). He will consider whether 
or not to proceed and/or determine a final figure bearing in mind 
what is reasonable and proportionate given the particular facts of 
the case, the need for consistency, and the underlying objective in 
imposing the monetary penalty. 


4. If so advised, the lawyer will draft a Notice of Intent containing the
prescribed information, which will be referred to the Commissioner
for his approval and signature. The legal team will then send the
Notice of Intent to the data controller or person by Special Delivery.
The data controller or person will be given 28 calendar days from the
date the notice was sent to make representations to the Commissioner,
which must be considered.


5. Having taken full account of any representations the data controller 
or person has made and the deliberations of those within his office 
who have recommended this course of action, the Commissioner 
will make a final decision on whether or not to impose a monetary 
penalty and, if so, determine an appropriate and proportionate 
monetary penalty. 


6. If so advised the lawyer will draft a Monetary Penalty Notice 
containing the prescribed information which will be referred to the 
Commissioner for his approval and signature. The legal team will 
then send the Monetary Penalty Notice to the data controller or 
person by Special Delivery. 


7. The Monetary Penalty Notice will be published on the ICO website 
with any confidential or commercially sensitive information redacted 
if requested and in accordance with the ‘Communicating our 
enforcement and regulatory activities policy’ on the ICO website - 


https://ico.org.uk/media/about-the-ico/policies-and-procedures/1890/ico_enforcement_communications_policy.pdf


8. If a data controller or person fails either to pay the monetary
penalty to the Commissioner or to lodge an appeal at the Tribunal
within 28 calendar days of the Monetary Penalty Notice being sent,
the matter should be referred to the lawyer for enforcement.